1 Introduction

Many block ciphers use substitution boxes (S-boxes) to bring confusion into the cipher, and hence the design of S-boxes plays an important role in the design of cryptographic systems. To achieve a correct inverse decryption and for ease of software implementation, S-boxes are usually designed as permutations over a characteristic 2 finite field of even extension degree, namely $\mathbb{F}_{2^{2m}}$. To resist linear cryptanalysis, differential cryptanalysis and other cryptanalysis such as algebraic attacks, one would like the S-boxes to have high nonlinearity, low differential uniformity and high algebraic degree simultaneously. The inverse function over $\mathbb{F}_{2^n}$ is such a function, which is used to construct the S-box of the Advanced Encryption Standard (AES) with $n = 8$.

The differential uniformity [15] of $f(x) \in \mathbb{F}_{2^n}[x]$ is defined by

$$\Delta_f = \max\{N(a,b) \mid a, b \in \mathbb{F}_{2^n},\ a \neq 0\},$$

where $N(a,b)$ denotes the number of solutions $x \in \mathbb{F}_{2^n}$ of the equation $f(x+a) + f(x) = b$. It is well known that $\Delta_f = 2$ is the minimum possible value of $\Delta_f$. Differentially 2-uniform functions are called almost perfect nonlinear (APN) functions, which provide the optimal resistance to differential attacks. Recent progress on APN functions can be found in [6], [9] and the references therein. Up to now, there is only one known APN permutation, which is defined on $\mathbb{F}_{2^6}$ [2], and the existence of more on $\mathbb{F}_{2^{2m}}$ remains open. Therefore, finding differentially 4-uniform permutations with good cryptographic properties is an interesting and active research topic for the goal of providing more choices for S-boxes.

Recently, there has been significant progress in finding functions with low differential 
uniformity O [3 [101 1131 US El 12D1 123] • In [3l 0] Bracken et al. firstly studied highly 
nonlinear monomials and binomials which are differentially 4-uniform permutations over $\mathbb{F}_{2^{2m}}$. After that, many new differentially 4-uniform permutations over $\mathbb{F}_{2^{2m}}$ were constructed by composing the inverse function and permutations over $\mathbb{F}_{2^{2m}}$. Qu et al. [18], [19] applied a powerful switching method (which can be seen in [9] and was initially proposed by Dillon in his talk at the ninth international conference on finite fields and their applications) to construct differentially 4-uniform permutations and found that the number of CCZ-inequivalent differentially 4-uniform permutations over $\mathbb{F}_{2^{2m}}$ grows exponentially when $m$ increases. Later, some new differentially 4-uniform permutations which are CCZ-inequivalent to the inverse function were obtained by composing the inverse function and cycles on $\mathbb{F}_{2^{2m}}$ m E]. Zha et al. [23] presented two new families of differentially 4-uniform permutations by modifying the values of the inverse function on some subfields of $\mathbb{F}_{2^{2m}}$. In [21] Tang et al. gave a construction providing a large number of differentially 4-uniform bijections with maximum algebraic degrees and high nonlinearities. In this paper, we will revisit differentially 4-uniform permutations in [23] which are constructed by modifying the inverse function on some subsets of $\mathbb{F}_{2^{2m}}$, and show some new differentially 4-uniform permutations which have high nonlinearities and algebraic degrees.

The rest of this paper is organized as follows. In Section 2, some preliminaries needed later as well as a brief overview of known differentially 4-uniform permutations are presented. We present some new constructions of differentially 4-uniform permutations in Section 3, and show their cryptographic properties in Section 4. Finally, we conclude the paper in Section 5.


2 Preliminaries 

We define the trace map from $\mathbb{F}_{2^n}$ onto its subfield $\mathbb{F}_{2^k}$ (with $k \mid n$) as

Tr^ [X) = X + X + X 

n—1 ^ 

and denote the absolute trace map from F 2 ^ onto the binary subfield F 2 by Tr(x) = ^ . 

1=0 

2"-l 

The algebraic degree of f{x) = ^ F 2 "[a^] is denoted by deg /, which equals 

i=0 

to the maximal 2-weight of the exponent $i$ with $a_i \neq 0$, where the 2-weight of an integer is the number of ones in its binary expression. It is known that $\deg f$ is upper bounded by $n - 1$ if $f$ is a permutation on $\mathbb{F}_{2^n}$. If $\deg f \le 1$, then $f$ is called an affine function.

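For a function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ and any $(a, b) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}^*$, the Walsh transform of $f$ is defined as

$$f^{W}(a,b) := \sum_{x \in \mathbb{F}_{2^n}} (-1)^{\mathrm{Tr}(ax + b f(x))}$$

and the Walsh spectrum of $f$ is $W_f := \{ f^{W}(a,b) \mid a \in \mathbb{F}_{2^n},\ b \in \mathbb{F}_{2^n}^* \}$. The nonlinearity $\mathcal{NL}(f)$ of $f$ is defined as

$$\mathcal{NL}(f) = 2^{n-1} - \frac{1}{2} \max_{w \in W_f} |w|.$$

For odd $n$, the nonlinearity $\mathcal{NL}(f)$ is upper bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$; and for even $n$ it is conjectured that $\mathcal{NL}(f)$ is upper bounded by $2^{n-1} - 2^{\frac{n}{2}}$ [3]. We call a function maximal nonlinear if its nonlinearity attains these bounds.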

Two functions $f, g : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ are called extended affine equivalent (EA-equivalent) if $g = A_1 \circ f \circ A_2 + A$ for some affine permutations $A_1$ and $A_2$ and an affine function $A$. Nonconstant EA-equivalent functions have the same algebraic degree.

Two functions $f$ and $g$ from $\mathbb{F}_{2^n}$ to itself are called Carlet-Charpin-Zinoviev equivalent
(CCZ-equivalent) if the graphs of $f$ and $g$ are affine equivalent. It is shown in [7] that
EA-equivalence implies CCZ-equivalence, but not vice versa. Every permutation is CCZ- 
equivalent to its inverse. Differential spectrum and Walsh spectrum are CCZ-invariants 
while algebraic degree is not a CCZ-invariant mm- 

Many new classes of differentially 4-uniform permutations are introduced by using the 
definition of CCZ-equivalence and CCZ-invariants. One may refer to [H HU HSl EI] for 
recent progress on this topic. 

Below we always denote the inverse function by $x^{-1}$ with the convention that $0^{-1} = 0$. Let $n$, $k$ and $q$ be positive integers with $n > 1$, $k \mid n$ and $q = 2^k$. Let $\omega$ be a primitive third root of unity in the algebraic closure of $\mathbb{F}_q$. Clearly, $\omega \in \mathbb{F}_q$ if $k$ is even and $\omega \notin \mathbb{F}_q$ otherwise.


3 Some constructions of differentially 4-uniform 
permutations 

In this section, we revisit a class of differentially 4-uniform permutations of the form 
x~^ -¥ t{x^ -|- x)‘^'^~^ -|- t in [23]. We can not only unify some previous constructions, but 
also present new differentially 4-uniform permutations of this form. 

Let $S$ be a subset of $\mathbb{F}_{2^n}$ satisfying: (a) either both of 0 and 1 or neither of them belongs to $S$; and (b) $\in S$ holds for any $x \in S \setminus \{0, 1\}$. Let $\delta_S(x)$ be the characteristic function of $S$, i.e., $\delta_S(x) = 1$ if $x \in S$ and $\delta_S(x) = 0$ otherwise. According to the Lagrange

interpolation, we have 5s(x) = 1 + 0 

ees 

Inspired by the ideas of [19] and [21], we discuss the cryptographic properties of the function

$$f(x) = x^{-1} + \delta_S(x) \qquad (1)$$

over $\mathbb{F}_{2^n}$ in the sequel.

Proposition 1. The function $f$ defined by (1) is a permutation over $\mathbb{F}_{2^n}$ and its compositional inverse is $g(x) = (x + \delta_{S'}(x))^{-1}$, where $S'$ is a subset of $\mathbb{F}_{2^n}$ satisfying that $x^{-1} + 1 \in S'$ holds if and only if $x \in S$.

Proof. Assume $x, y \in \mathbb{F}_{2^n}$ with $f(x) = f(y)$. Then we have $x^{-1} + \delta_S(x) = y^{-1} + \delta_S(y)$. If $\delta_S(x) = \delta_S(y)$, we get $x^{-1} = y^{-1}$, which leads to $x = y$. If $\delta_S(x) \neq \delta_S(y)$, we get $x^{-1} + 1 = y^{-1}$, which, excluding the cases of $(x, y) = (0, 1)$ or $(x, y) = (1, 0)$, implies $y =$ and $\delta_S(x) \neq \delta_S(y)$. It is a contradiction with the hypothesis on $S$. Then we deduce that $f$ is a permutation over $\mathbb{F}_{2^n}$. We can easily check that $g(f(x)) = f(g(x)) = x$, which completes the proof. □

Proposition 2. Let $f$ be defined as in (1). Then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$ if and only if for any $a \in \mathbb{F}_{2^n}$ with $a \neq 0, 1$, one of the following two statements holds:

1) For $\delta_S(a) = \delta_S(0)$, the cases of $\delta_S(\omega a) = \delta_S(\omega^2 a)$ and of $x^2 + ax + = 0$ with $\delta_S(x + a) \neq \delta_S(x)$ cannot occur simultaneously; and

2) For $\delta_S(a) \neq \delta_S(0)$, the cases of $\delta_S(\omega a) \neq \delta_S(\omega^2 a)$ and of $x^2 + ax + = 0$ with $\delta_S(x + a) = \delta_S(x)$ cannot occur simultaneously.

Proof. Let $a, b \in \mathbb{F}_{2^n}$ with $a \neq 0$. We consider the solutions of the equation $f(x + a) + f(x) = b$, i.e.,

$$(x + a)^{-1} + \delta_S(x + a) + x^{-1} + \delta_S(x) = b \qquad (2)$$

over $\mathbb{F}_{2^n}$. By Proposition 1 we get that $f$ is a permutation over $\mathbb{F}_{2^n}$, which implies that Eq. (2) has no solution if $b = 0$. Below we assume $b \neq 0$ and $x$ is a solution of (2). When $x = 0$ or $a$, we get

$$b = a^{-1} + \delta_S(a) + \delta_S(0) \ (:= b_0)$$

from (2). For other possible solutions, namely ones with $x \neq 0$ and $x \neq a$, we divide into the following two disjoint cases to discuss.

Case I: If $\delta_S(x + a) = \delta_S(x)$, then we have $(x + a)^{-1} + x^{-1} = b$ from (2), which leads
to x^ + ax + I = 0. 

Case II: If $\delta_S(x + a) \neq \delta_S(x)$, then we have $(x + a)^{-1} + x^{-1} = b + 1$ from (2). If $b = 1$, we have no solution of (2). Otherwise, we obtain $x^2 + ax + = 0$ from (2).

For any pair $(a, b)$ with $b \neq b_0$, there are at most four solutions of (2) in Cases I and II. In the sequel, we consider the case of $b = b_0 \neq 0$.

If $\delta_S(a) = \delta_S(0)$, then we have $b_0 = a^{-1}$. In this case, we get two solutions $\omega a$ and $\omega^2 a$ in Case I, which need to satisfy $\delta_S(\omega a) = \delta_S(\omega^2 a)$. Similarly in Case II, Eq. (2) turns to $x^2 + ax + = 0$.

If $\delta_S(a) \neq \delta_S(0)$, then we have $b_0 = a^{-1} + 1$. In this case, we get two solutions $\omega a$ and $\omega^2 a$ in Case II, which need to satisfy $\delta_S(\omega a) \neq \delta_S(\omega^2 a)$. Similarly in Case I, Eq. (2) becomes $x^2 + ax + = 0$.

For constructing differentially 4-uniform permutations, we want $\Delta_f \le 4$ when $a \neq 0, 1$ and $b = b_0$. More precisely, we need to find an appropriate set $S$ such that there are at most two solutions in Cases I and II when $a \neq 0, 1$ and $b = b_0$, which is equivalent to the two statements in Proposition 2.

From the definition of $S$, we always get $\delta_S(0) = \delta_S(1)$ and $\delta_S(\omega) = \delta_S(\omega^{-1})$. Then we can easily check that there are exactly four solutions $0, 1, \omega, \omega^2$ of (2) when $a = b_0 = 1$, which implies that $\Delta_f = 4$. The desired conclusion then follows. □

We note that the function $f(x) = x^{-1} + \delta_S(x)$ is a special case of the switching method studied in [19]. In Theorem 5.3 of m, the composite inverse of $G$ is of the form $G^{-1} = 1/(x + g(x)) = 1/(x + 1)$ if $g(x) = 1$; and it is $1/x$ if $g(x) = 0$. If $S = \mathrm{supp}(g)$ is taken, then it immediately leads to the function $f$. Our main contributions are characterizing new subsets $S$ and obtaining new constructions of differentially 4-uniform permutations.

According to Proposition 2, we will give some constructions in the sequel by choosing different sets $S$.
3.1 The relevance with known constructions

In this subsection, we will give results related to some known constructions. First we list 
a lemma needed below. 

Lemma 1. flT]/ For any a,b € F 2 n with a 0, the polynomial f{x) = + ax + h is 

irreducible over $\mathbb{F}_{2^n}$ if and only if $\mathrm{Tr}(b/a^2) = 1$.

From Proposition 2 and Lemma 1 we can obtain the following construction. The proof is trivial and we omit it here.

Theorem 1. Let $S = \mathbb{F}_{2^k}$. Then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$ if
k is even or A: = 1,3 and ^ is odd. 

The result of Theorem 1 includes the constructions of differentially 4-uniform permutations in Theorems 1 and 3 of [23] in the case of $t = 1$.

We need the following lemma which can be derived from Lemma 2 in [21]. We present here its proof for completeness.

Lemma 2. For any a € F 2 ^/{0,1}, define the polynomial pl{x) := x^ + ax + G F 2 ^ [x]. 
If ia{x) = 0 has two solutions A and v in F 2 ", then we have Tr(j^) = Tr(^;^) = 0. 

Proof. If p,{x) = 0 has two solutions A,z^, from Lemma [1] we have Tr(j^) = 0 and 
A, 7 ^ 0,1 since a 7 ^ 0,1. Since 

1 1 1 1 

A -j- 1 r' -j- 1 Xn -\- X n -\-1. 0.^(1 -t- u) ^ T n -1- 1 

and = a + a?, we get that and ^ 7 ^ are the roots of equation 

-b (a + a?)x -b 1 -b a = 0. Note that Tr( = Tr( 7 ;^) = 0 if and only if there exist 
two values u,v ^¥ 2 ^^ such that = u + and 77 ^ = v + v‘^. Assume u and v are the 

roots of equation x^ -b sx -b p = 0 , then u -b and v v‘^ must be the roots of equation 
x^ -b (s -b s^)x -b p(l -b s -b p) = 0 . 

We choose s = a. By Lemma [T] and Tr(Y^) = 0, there exists an element p G ¥ 2 ^ 
such that p^ -b (1 -b a)p -b (1 + a) = 0 or namely, p(l -b s -b p) = 1 -b s. Then we have 

~ ''^hich implies that equation x^ -b sx -b p = 0 
actually has two roots in F 2 >i. □ 

Theorem 2. Let S be a subset of F 2 »i satisfying G S and Tr(x) = 1 for any x € S. 
Then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$.

Proof. Since Tr(x) = 1 for any x G S', we have 0 0 S' and Tr(^ 7 ^) = 1 for any x G S'. 
If Ss{a) = (^ 5 ( 0 ), we can deduce that the solutions of p(x) = 0 satisfying 6 s{x + a) = 
Ss{x) = 0 from Lemma [2j If 6 s{a) (^s'(O), then we get a G S' and Tr(^^) = 1, which 

implies that there are no solutions of p(x) = 0 from Lemma [T] We complete the proof by 
Proposition [2j □ 

We note that the compositional inverse of the permutation $f$ defined in Theorem 2 is
exactly the known differentially 4-uniform bijection presented in Construction 1 of m- 
3.2 New constructions from unions of two subfields of $\mathbb{F}_{2^n}$

In what follows, we introduce two new constructions by combining two suitable subfields of $\mathbb{F}_{2^n}$. To do this, we need the following lemma.

Lemma 3 . Let ki and k2 be divisors ofn and S = F2fci UF2fc2 • Then 7^ 6 s{x‘^+xy) 

for any x,y G S with x + y ^ S. 

Proof. Assume x,y G S with x+y 0 S, without loss of generality, we assume x G F2fei \F2fe2 
and y G F2fc2 \ lP’2'=i • Obviously, we have G F2fc2 and = 1 . If < 55 (x^ + xy) = 1 , 

then we obtain x"^ + xy G F2fc2 > which implies 

2 2l+'"2 , 2*^2 

X + xy = X + x y. 


Raising the above equation by 2 ^i-th powers, we have 


^ , 2'“l 

X + xy = X 


2l+fc2 


2fc2 2'=! 


+ x y 


Then we get 

(x + x^'“^)(?/ + ?/^''^) = 0 

by adding the above two equations. It leads to $x \in \mathbb{F}_{2^{k_2}}$ or $y \in \mathbb{F}_{2^{k_1}}$, which is a contradiction. □


Utilizing Proposition 2 and Lemma 3, we have the following theorems.

Theorem 3. Let $k_1$ and $k_2$ be even divisors of $n$ and $S = \mathbb{F}_{2^{k_1}} \cup \mathbb{F}_{2^{k_2}}$. Then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$.

__ 2 

Proof. If 5 s{a) = Ssi^), then we get a G S. By Lemma [ 3 l we have that 

dsix"^ + xy) for any x,y G S with x + y ^ S, which implies that the equation fj,{x) = 0 has 

no solution. 

If $\delta_S(a) \neq \delta_S(0)$, then we have $a \notin S$. We assume $\delta_S(\omega a) \neq \delta_S(\omega^2 a)$ is true and $\omega a \in S$ and $\omega^2 a \notin S$ without loss of generality. Since $S = \mathbb{F}_{2^{k_1}} \cup \mathbb{F}_{2^{k_2}}$ and $k_1$ and $k_2$ are even integers, we obtain $\in S$ from $\omega a \in S$ and $\omega \in S$, which is a contradiction. The proof is completed. □

Theorem 4. Let $k_1$ be an even divisor of $n$ with $\gcd(3, k_1) = 1$. Assume $6 \mid n$, $n/6$ is odd and $S = \mathbb{F}_{2^3} \cup \mathbb{F}_{2^{k_1}}$. Then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$.

Proof. If 6s{a) = 6 s{ 0 ), similarly to the proof of Theorem^ we can show that the equation 
fj,{x) = 0 has no solution. 

If ds{a) ^5(0), 6s{wa) 7^ 5 s{uffa) holds only if uja G F23 and 0 S or G F23 
and uja ^ S. Without loss of generality, we consider the case of wa G F23 and ^ S. 
Then we have o® = cu^o, = a and 

Tr(^) = Tr?(Tr®(Tr^(^))) = Tr?(Tr®(^)) 

since Trf() = 1 for any x G F23, which implies that p{x) = 0 has no solution while 
Ss{uja) 5 s{uj'^a). This completes the proof. □ 
3.3 A construction from unions of subsets of $\mathbb{F}_{2^n}$

In this subsection, we introduce a new construction by combining some subsets of $\mathbb{F}_{2^n}$.


Theorem 5 . Let k be even and ^ be odd and let I be a divisor of k. Let Si be a subset 
of¥2-n satisfying G Si and Tr(x) = 1 for any x G Si. Assume S = SiLi (Fg \ F2i) or 
$S = \mathbb{F}_q \setminus \mathbb{F}_{2^l}$, then $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$ if

1) $l$ is even;

2) $l = 1$ and $k \equiv 2 \pmod 4$; or

3) $l = 3$ and $k = 6$.

Proof. If 5 s{a) = 6 s{ 0 ), we get a ^ S. From Lemma [21 if /i(x) = 0 has two solutions 
X,iy, then we have ly = X + a and A,i^ 0 5 i. Suppose fi{x) = 0 with 5 s{X) / ds{iy) 
holds. Without loss of generality, we assume 6 s{iy) = 0 and 6 s{X) = I, which implies that 
A + a ^ S' and A € S'. We get A G Fg \ F2i since X ^ Si. Then we obtain 

A^ + aA + —— = 0 ( 3 ) 

1 + a ^ ^ 

and 

A 2 + an + ^ = 0 . ( 4 ) 

Since a ^ S,we have that a ^ Fg or a G F2i. If a ^ Fg, we can deduce that A = 1 + , 

2 7i/k 

which implies a'^ = o. Since n/k is odd and a'^ = a, we obtain a'^ = a, which is 

a contradiction. If a G F2i, then we get A + o G Fg \ F2i, which contradicts our first 
assumption A + a 0 5 . Hence, fi{x) = 0 with 5 s{x + a) 7^ ds{x) cannot holds. 

If 6 s{a) / 55(0), then we have a G S. When a G Si, then we have Tr(j^) = 1 , 
which implies that there are no solutions of /r(x) = 0 . When a G Fg \ F2i, we assume that 
ds(cva) / ds(uj^a) is true. 

If I is even, then we have ioa,io‘^a G Fg \ F2i for = co. It implies that 6 s{ioa) = 
6 s{u}‘^a) = 1, which is a contradiction. 

lil = 1 and k = 2 (mod 4 ), 6 s{coa) 7^ Ss{io‘^a) can be true only if a = w or a = o;^. For 
a = we obtain that Tr(Y^) = Tr^(Y^) = 1, which implies that /i(x) = 0 has no 

solutions in this case. 

If A; = 6 and I = 3 , 6 s{oja) 7^ 6 s{u}‘^a) holds only if a® = ua or a® = w^a. We consider 
the case of a® = for example. We have Tr(Y^) = Tr^(Tr3(Trg (j^))) = 1 , which also 
deduce that there are no solutions of fi{x) = 0. 

Thus, the cases of 5 s{aja) 7^ 6 s{u}‘^a) and of iJ.{x) = 0 cannot occur simultaneously if 
¥" <^5(0). The proof is hnished by Proposition [ 2 l □ 

Remark 1 . In Theorem\^ if Tr{x) = 1 for any x G Fg \F2i, then f is equal to one 
differential 4 -uniform permutation defined in Theoreml^ which is CCZ-equivalent to the 
one of Theorem 1 in m- Theorem 0 exhibits some specific examples of Theorem 5.3 in 

m- 
3.4 Two constructions from inverse sets of affine subspaces of $\mathbb{F}_{2^n}$

Let $t_1 \in \mathbb{F}_{2^n}^*$ with $\mathrm{Tr}_k^n(t_1) = 0$. We consider the subset $S = \{x \in \mathbb{F}_{2^n} : x^{-q} = x^{-1} + t_1\}$, which is the set of the inverses of the elements in the non-empty affine subspace $\{x \in \mathbb{F}_{2^n} : x^q = x + t_1\}$. Obviously we have $0 \notin S$ and $\delta_S(0) = 0$.

Lemma 4. For a G S, the cases of 5s{u}a) / 5s{co‘^a) and of fifx) = 0 cannot occur 
simultaneously if 

1) q ^ l(mod 3); 

2) q = 2(mod 3) and ti 0 F^; or 

3) ^ is odd, ti G ¥q and q = 2 or 8. 

Proof. Assume Ss{uja) 0 Ss{co‘^a), without loss of generality, we consider the case of 
ioa G 5 and io'^a 0 5. Since 5 = {x G ¥ 2 ^ '■ x~‘^ = x~^ + ti}, we get a~‘^ = a~^ +ioti when 
q = l(mod 3) and a~'^ = Lda~^ + u'^ti when q = 2(mod 3). 

Since a € S, we get a~^ = a~^ + ti. When q = l(mod 3), we have ti = 0, which is a 
contradiction. When q = 2(mod 3), we have -|-ti = 0 and a~^ = ujti, which implies 

t\ = ti- Therefore, we achieve the goal when q = 2(mod 3) and ti 0 ti. When ^ is odd 
and g = 2 or 8, we need to show that there are no solutions of fi{x) = 0. From Lemma 1, 
a direct proof is to show that Tr”(j^) = 1. We get 

= Tr^(Trf (TV-,(^))) 

= Tr?(Trf (^)) = = 1, 


which completes the proof. □ 

Lemma 5. If a ^ S, there are no solutions of fi{x) = 0 with 5s{x + a) 0 Ss{x) if the 
equation 

{ti + + {tl + ti)a^‘i-^ + {tl + ti)a^‘i-^ + + (tf + ti)a^^ 

+ + {1 + ti)a^‘^~‘^ + + {t\ + ti)of^ + {1 + ti)a^^~^ + (5) 

= 1 


has no solution in ¥ 2 ^ \ Fg. 


Proof. We assume that ^(x) = 0 has two solutions x,x + a satisfying ^^(x) 0 5s{x + a). 
Without loss of generality, we consider the case of x G 5 and x-|-a0 5. Asx0O, x0a 
and x^ -|- ax + = 0, we have a 0 1 and 


9 1 T a 1 1T a 

X-2 +-+ =0. 


( 6 ) 


From X G 5 we get x = x ^ + ti. Substituting it to the g-th power of (6), we obtain 


X 


-2 


1 + a« 
ai 


-1 


+ t 1 + 


l + a? 
o'? 


+ 


1 + 0“? 
a29 


= 0 . 


If a G Fg, we get tf + = 0 from (6) and (7), which leads to ti 

(x + a)^ + a(x + a) + = 0, we derive (x -|- a)“^ + ^^(x -|- a)“^ -|- 


(7) 

= Since 

a 

= 0 and 



(x + + ^^(x + a)~'^ + = 0 for a E Fg. Combining the above two equations, 

we may draw the conclusion that (x + a)“^ E Fg or x + a E 5. Since x + a 0 5, we get 
(x + a)“^ E Fq and x E Fg, which contradicts the first assumption x E S'. Therefore, we 
obtain a 0 Fg and 

-1 _ (^1 + h ) a ^'^ + + (1 + + 1 

^ “ aS-J-i + o'? 

from ( 6 ) and (7). Substituting it into ( 6 ), we can derive Eq. (5) by some trivial compu¬ 
tation. The proof is finished. □ 

We also need the following lemma. 

Lemma 6. 111^ An irreducible polynomial over $\mathbb{F}_q$ of degree $n$ remains irreducible over $\mathbb{F}_{q^l}$ if and only if $\gcd(l, n) = 1$.

Now we can get many differentially 4-uniform permutations by computing the solutions 
of (5). We list two simple examples in the following theorems. 

Theorem 6. If q = 2, ^ is odd and ti = 1, then S = and f is a differentially 

4-uniform permutation over $\mathbb{F}_{2^n}$.

Proof. The case of a E S' is proved by Lemma [H Now we consider the case of a ^ S. 
Since g = 2, ^ is odd and = 1, Eq. (5) becomes -|- a -|- 1 = 0, which has no 

solution on F 2 >^. The proof is completed by Lemma [5] and Proposition [2j □ 

Theorem 7. Let $\gcd(n, 5) = 1$ and j be odd. If $q = 4$ and $t_1 = 1$, then $S = \{x \in \mathbb{F}_{2^n} : x^{-4} = x^{-1} + 1\}$ and $f$ is a differentially 4-uniform permutation over $\mathbb{F}_{2^n}$.

Proof. Similarly to the proof of Theorem[ 6 l we need to show that Eq. (5) has no solution in 
F 2 n\Fg. Since q = A and ti = 1, Eq. (5) becomes g{a) := = 0. 

We remark that <7(0) = 0 has no solution in F 24 and 

g{a) = -|- a® -|- -|- 1 

= (a^ -|- -|- l)(a^ -|- coa^ ua? -|- uPa -|- uP){a'^ -\- -\- ua -|- oj) 

has only irreducible factors with degrees 2 and 5 over F 24 . Since gcd(n,5) = 1 and ^ is 
odd, then we get that g{a) = 0 has no solution on F 2 n by Lemma [H We complete the 
proof. □ 

4 Cryptographic properties of functions constructed 

In this section, we focus on the cryptographic properties of the function $f$ defined by (1).

It is shown in m that all differentially 4-uniform permutations on $\mathbb{F}_{2^{2m}}$ have algebraic degree $n - 1$. Since $f$ lies in a more general framework in Theorem 5.3 of m, we have that $f$ has the maximum possible algebraic degree $n - 1$.

In the following, we give some lower bounds on the nonlinearities of $f$, present some numerical results about the differential spectra and nonlinearities of $f$, and discuss the CCZ-inequivalence between $f$ and some known differentially 4-uniform permutations.
4.1 Nonlinearity

Lemma 7. Define the Kloosterman sum over as 

Kn{\)= AGF2.. 

X^¥2n 

The set {Kn{X) : A G F 2 n} is exactly the set of all integers t = 0(mod 4) in the range 

n I 1 n \ -t 

-2 2+^ + 1,2 2+1 ^ _ 

Let [22+1J = 2 and [ 22 +ij = t iov k > 1, t = 0(mod 4) and 22+1 _ ^ ^ ^ < 22 + 1 . We 
have the following result by Lemma [71 

Lemma 8. Let a,b ^ F 2 ^ with Tr( 6 ) = 1. Let k he a positive integer with k \ n. Then 
I ^ |•_]_^Tr(a3;+ba;-l)| < [2^+lj . 

Proof. Since Tr( 6 ) = 1, for any x € F 2 fe we get Tr^( 6 ) 7 ^ 0 and 

Tr(ax + bx~^) = Tr5^(Tr^(ax + bx~^)) = Tr5^(xTr^(a) + x~^Tv^{b)). 

By Lemma O we have that 

I ^ |•_]_^Tr(aa;+fex-l)| _ | ^ ('_l)Tr^(a:Tr^(a)+a:“lTr^(6)) | [ 2 I+IJ. 


Lemma 9. fgl]/ For any even n > Q, we have MC{f) > 2"' i — 2'^/"^— | S' |. 

From Lemma [9l we get a direct lower bound on the nonlinearities of / defined in 
Theorems [31171 For example, we obtain MC{f) > 2"’ i — 2*^/^ — 2 for the function defined 
in Theorem [6l and M£{f) > 2"’“i — 2"’/^ — 4 for the function defined in Theorem [71 In the 
following, we give a more tightly bound on the nonlinearities of / defined in Theorems [3l 
andm 

Proposition 3. If S = F 2 »=i UF 2 fe 2 ? the nonlinearity of the function f defined by Uf) 
satisfies 

MC{f) > 2’"-! - [2tj - L2^+^J - - [2^^%^+ij. 

Especially, we have 

NC{f) > 2"-i - [2tj - [2^+^J 

if ki I k 2 and 

MC{f) > 2"-i - [2tj - [2^+ij - 6 
if ki = 3 and gcd(/i; 2 ,3) = 1. 
Proof. As we know, the nonlinearity of / is defined by AfC{f) = 2” ^ ^ niax/'^(a, 5),

where /^(a, b) = ^ a,b £ F 2 ™ and 6/0. We have that 

xe¥2n 

f'^{a,b) = ( —l)'^d«a:+b(a:-l+<5s(a;))) 

xeF2n 

_ ^_ j^^Tr(aa;+ba;“^) _j_ ^_ j^^Tr(ax+ba;“^+b) 

3;SF2n\5 xSS 

If Tr(6) = 0, we get |/'^(a, 6)| = | Y1 (—^)| < by LemmaEl If Tr(6) = 

X^¥2'n 

1, we obtain 

|/^(a,6)| =1 Yj (—— 2 ^ (— 

X^¥2n X^S 

<1 Yf ( —I + 2| y~^ ^_2^Tr(aa;+fex~^) I 

XSF2n IGS 


Notice that 


y~^ ^_2^Tr(aa:+fex“l) _ ^ ^_2^Tr(ax+6x“l) _j_ ^ |'_2^Tr(ax+6x“l) 


x€S 




xSF, 


2*^2 


y~^ j^jTr(ax+6x“i) 

^^^2S'=d(fcl,fc2) 


then we obtain 

|/'^(a,6)| < L2t+ij +2(L2^+ij ^ ^2^+ij ^ 

from Lemma [HI which implies that 

MCif) > 2^-^ - [2tj - L2^+^J - 

If /ci I k 2 , we can get S = F 2 fe 2 and MC{f) > 2"“^ — [22 J — [ 2 ‘ 2 ‘+^J by Lemma [8] directly. 
Furthermore, if /ci = 3 and k 2 is even, we have 


MC{f) > 2^-^ - [2tj - [2^+ij - 6 
since | Y (—1< 4 and | Y (—< 2. 

xGFjS 3;eF2 


□ 


4.2 Numerical results and CCZ-inequivalence 

For even $n \le 12$, we computed the nonlinearities and differential spectra of the functions
in Section 3 by using the MAGMA software system. Some of the computational results 
are listed in Tables 1-3, where the notation T’(/) represents the differential spectrum of 
a function /, B{f) represents a bound on the nonlinearity of /, and the multiset M = 
• • • ,a["*} means the elements a* appears times in M for 1 < i < t. 

By Tables 1-3, we conclude that Theorems |3]|7| present several differentially 4-uniform 
permutations CCZ-inequivalent to the ones defined in Theorem 1. Especially, compared 
to the numerical results in Tables III and IV of m, Tables 2 and 3 list some new results 
on nonlinearities and differential spectra when n = 10 and 12. 
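Table 1: Nonlinearities and differential spectra of functions in Section 3 over $\mathbb{F}_{2^6}$

| $S$ | $f$ | $\mathcal{NL}(f)$ | Differential spectrum | $B(f)$ |
|---|---|---|---|---|
| $\mathbb{F}_2$ | Theorem 1 | 24 | $\{0^{2079}, 2^{1890}, 4^{63}\}$ | 22 |
| $\mathbb{F}_{2^2}$ | Theorem 1 | 22 | | 20 |
| $\mathbb{F}_{2^3}$ | Theorem 1 | 22 | $\{0^{2199}, 2^{1650}, 4^{183}\}$ | 20 |
| $\mathbb{F}_{2^2} \cup \mathbb{F}_{2^3}$ | Theorem H] | 20 | $\{0^{2247}, 2^{1554}, 4^{231}\}$ | 14 |
| $\mathbb{F}_{2^2} \setminus \mathbb{F}_2$ | Theorems 0 El | 22 | | 22 |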
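The computation behind Table 1 can be reproduced for $n = 6$ without MAGMA. The following Python is an added example, not the authors' code: it builds $f(x) = x^{-1} + \delta_S(x)$ from Eq. (1) and evaluates the differential spectrum and nonlinearity exactly as defined in Section 2. The representation $\mathbb{F}_{2^6} = \mathbb{F}_2[x]/(x^6 + x + 1)$ and all function names are assumptions of this example; the results do not depend on which irreducible sextic is used.

```python
from collections import Counter

N = 6                       # F_{2^6}, the field used in Table 1
SIZE = 1 << N
MOD = 0b1000011             # x^6 + x + 1: assumed representation of the field

def gf_mul(a, b):
    """Multiply two field elements (bit i = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & SIZE:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

MUL = [[gf_mul(a, b) for b in range(SIZE)] for a in range(SIZE)]
INV = [gf_pow(x, SIZE - 2) for x in range(SIZE)]  # x^(2^n - 2), so 0^{-1} = 0

def trace(x):
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(n-1)), returned as 0 or 1."""
    t = 0
    for _ in range(N):
        t ^= x
        x = MUL[x][x]
    return t

TR = [trace(x) for x in range(SIZE)]

def subfield(k):
    """F_{2^k} inside F_{2^n} (k must divide n): fixed points of x -> x^(2^k)."""
    return {x for x in range(SIZE) if gf_pow(x, 1 << k) == x}

def switched_inverse(S):
    """Lookup table of f(x) = x^{-1} + delta_S(x), Eq. (1) of the page."""
    return [INV[x] ^ int(x in S) for x in range(SIZE)]

def differential_spectrum(f):
    """How often each value N(a, b) occurs over all a != 0 and all b."""
    spec = Counter()
    for a in range(1, SIZE):
        hits = Counter(f[x ^ a] ^ f[x] for x in range(SIZE))
        for b in range(SIZE):
            spec[hits[b]] += 1
    return dict(spec)

def nonlinearity(f):
    """2^(n-1) - max|W|/2 with W = sum_x (-1)^Tr(ax + b f(x)), b != 0."""
    worst = 0
    for b in range(1, SIZE):
        bf = [MUL[b][y] for y in f]
        for a in range(SIZE):
            ax = MUL[a]
            w = sum(1 - 2 * TR[ax[x] ^ bf[x]] for x in range(SIZE))
            worst = max(worst, abs(w))
    return (SIZE >> 1) - worst // 2

def analyse(S):
    """Return (is f a permutation?, differential spectrum, nonlinearity)."""
    f = switched_inverse(S)
    return sorted(f) == list(range(SIZE)), differential_spectrum(f), nonlinearity(f)

if __name__ == "__main__":
    rows = {"inverse (S empty)": set(),
            "S = F_4": subfield(2),
            "S = F_4 u F_8": subfield(2) | subfield(3)}
    for name, S in rows.items():
        print(name, analyse(S))
```

Each spectrum sums to $63 \cdot 64 = 4032$ pairs $(a, b)$, which is a quick consistency check on any row of the table.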


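Table 2: Nonlinearities and differential spectra of functions in Section 3 over $\mathbb{F}_{2^{10}}$

| $S$ | $f$ | $\mathcal{NL}(f)$ | Differential spectrum | $B(f)$ |
|---|---|---|---|---|
| $\mathbb{F}_2$ | Theorem 1 | 480 | $\{0^{524799}, 2^{521730}, 4^{1023}\}$ | 478 |
| $\mathbb{F}_{2^2}$ | Theorem 1 | 478 | jg34335 229250 4l695\| | 476 |
| $\mathbb{F}_{2^2} \setminus \mathbb{F}_2$ | Theorems El El | 478 | $\{0^{525879}, 2^{519570}, 4^{2103}\}$ | 478 |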


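Table 3: Nonlinearities and differential spectra of functions in Section 3 over $\mathbb{F}_{2^{12}}$

| $S$ | $f$ | $\mathcal{NL}(f)$ | Differential spectrum | $B(f)$ |
|---|---|---|---|---|
| $\mathbb{F}_{2^2}$ | Theorem 1 | 1982 | $\{0^{8394735}, 2^{8370210}, 4^{8175}\}$ | 1980 |
| $\mathbb{F}_{2^4}$ | Theorem 1 | 1978 | $\{0^{8419263}, 2^{8321154}, 4^{32703}\}$ | 1968 |
| $\mathbb{F}_{2^6}$ | Theorem 1 | 1970 | $\{0^{8511615}, 2^{8136450}, 4^{125055}\}$ | 1920 |
| $\mathbb{F}_{2^4} \cup \mathbb{F}_{2^6}$ | Theorem 3 | 1966 | $\{0^{8534127}, 2^{8091426}, 4^{147567}\}$ | 1908 |
| $\mathbb{F}_{2^4} \setminus \mathbb{F}_{2^2}$ | Theorem E] | 1978 | $\{0^{8415183}, 2^{8329314}, 4^{28623}\}$ | 1972 |
| $x^{-4} + x^{-1} = 1$ | Theorem 7 | 1980 | $\{0^{8399055}, 2^{8361570}, 4^{12495}\}$ | 1980 |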


For n = 12 , by a Magma computation, we checked that there are 1036 elements of F 212 
satisfying Tr(x) = Tr(Y^) = 1 . That is to say, there are 2 ®^® — 1 different sets Si and 2 ®^® 
different sets $S$ in Theorem 5. For a randomly chosen set $S_1$, the functions constructed in Theorem 5 ($S = S_1 \cup (\mathbb{F}_{16} \setminus \mathbb{F}_4)$) and Theorem 2 ($S = S_1$) often have different differential spectra or nonlinearities, which implies that they are CCZ-inequivalent. We randomly choose 10000 different sets $S_1$ and compute the nonlinearities of the differentially 4-uniform permutations defined in Theorems 5 and 2 separately. The computational results are listed in Table 4. The notations $\mathrm{Ave}(\mathcal{NL}(f))$, $\mathrm{Max}(\mathcal{NL}(f))$ and $\mathrm{Min}(\mathcal{NL}(f))$ denote the average nonlinearity, maximal nonlinearity and minimal nonlinearity of $f$ respectively.


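Table 4: Variance of nonlinearities of 10000 samples $f$ on $\mathbb{F}_{2^{12}}$

| $S$ | $f$ | $\mathrm{Ave}(\mathcal{NL}(f))$ | $\mathrm{Max}(\mathcal{NL}(f))$ | $\mathrm{Min}(\mathcal{NL}(f))$ |
|---|---|---|---|---|
| $S_1$ | Theorem 2 | 1911.106 | 1982 | 1864 |
| $S_1 \cup (\mathbb{F}_{16} \setminus \mathbb{F}_4)$ | Theorem 5 | 1910.264 | 1978 | 1866 |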


From Table 4, we found that the average nonlinearity of the functions $f$ in Theorem 5 is less than that of the functions $f$ in Theorem 2. This is due to

$$|S_1 \cup (\mathbb{F}_{16} \setminus \mathbb{F}_4)| \ge |S_1| + 4$$

since there are exactly four solutions of $\mathrm{Tr}(x) = 0$ with $x \in \mathbb{F}_{16} \setminus \mathbb{F}_4$ over $\mathbb{F}_{2^{12}}$. It seems that the nonlinearity of $f$ gets smaller when $|S|$ gets larger; this, however, is not always true. Below we give some examples.

Example 1. For n = 12, let a be a primitive element 0 /F 212 defined by + ofi + + 

+ 1 = 0 and Si = {a*|i G 11 }, where 

n = {649,3411,2016, 2422,437,903, 3963, 2464,1914,1180, 3755,2410,119,647, 3624,841, 
2833, 2709, 2352, 4092, 3812, 2696,3166, 2950,1784, 3475, 233,1831,1157,1422,3897,2429, 
918,1363,2910,3955,1372,1785,3013,1589,2021,1721}. 

We can easily check that |S'i| = 42. The nonlinearity of the function f in Theorem is 
1958, while the function in Theorem [H is of nonlinearity 1956. 

Example 2. For n = 12, let a be a primitive element 0 /F 212 defined in Example 1 and 
= {W\i G {3351,1475, 777, 661, 921, 977,4076, 2037, 3359, 2414, 3616, 3033, 3401, 3697, 
3459, 654,3160,123, 3226, 2837, 526, 2832,1182,4094, 3964, 3887,1705,2489,1766,4066,589, 
184,1842,2752}}. We can easily check that |5i| = 34 and the nonlinearities of f defined 
in Theorems\^ and\^ are both 1962. 

Example 3. For n = 12, let a be a primitive element 0 /F 212 defined in Example 1 and 

= {a* I i g {273,546,1092, 2184}}. 

We can check that Si is a subset o/Fig \ F 4 and S = Fig \ F 4 . The nonlinearity of the 
function f in Theorem\^is 1978, while the function in Theorem\^is of nonlinearity 1980. 

5 Conclusion 

In this paper, we refine a general technique for constructing a class of differentially 4-uniform permutations by modifying the values of the inverse function on a subset $S$ of $\mathbb{F}_{2^{2m}}$. By using this technique, we get many differentially 4-uniform permutations with high nonlinearities and algebraic degrees. Our numerical results support that some of them are new and have the nonlinearity approaching the maximum while the size of $S$ is not too small.